S 2.199 Maintaining information security

Initiation responsibility: IT Security Officer

Implementation responsibility: IT Security Officer

Security management is not only about reaching the desired level of security, but also about guaranteeing this level over the long term. To maintain and continuously improve the existing level of IT security, all security safeguards should be regularly reviewed.

The correct implementation as well as the feasibility of a security concept must be regularly reviewed. It is important to note that there is a difference between reviewing whether or not certain safeguards are suitable and effective in reaching the security goals set (completeness and update check) and checking the extent to which the security safeguards have been implemented in each area (information security audit).

The security safeguards planned in the security concept must be implemented in accordance with the implementation plan. The implementation status must be documented. Target dates and the use of resources must be monitored and controlled. Management must be informed regularly in this regard.

These reviews should be performed at predetermined times (at least once per year) and can also be held in the interim. In particular, information gained from security-relevant incidents, changes in the technical or technical/organisational environment, changes in security requirements or threats require that existing security safeguards are adapted. The results of every single review should be documented. It must also be specified what will be done with the results of the reviews because the information security can only be effectively maintained when the necessary corrective measures have been taken due to the results of the reviews.

In addition, unannounced reviews should be performed from time to time because announced checks often give a distorted picture of the subject under review.

The main aim of checks should be to eliminate shortcomings. In order for the checks to be accepted, it is important that this aim is understood by all people involved and that the checks do not have a didactic spirit. For this reason, it makes sense to talk to the people involved about possible solutions to problems during a check and to prepare corresponding remedies.

The government agency or company should specify how the tasks related to these reviews will be co-ordinated. For this purpose, it is necessary to specify which safeguards will be checked when and by whom so that no work is repeated and no areas in an organisation are left unchecked.

The existing security safeguards should be checked at least once per year. Furthermore, they should always be checked if:

Adherence to the security concept (security audit)

A security audit must check if the security safeguards are actually implemented and followed as planned in the security concept. Security audits also need to examine if the technical safeguards were implemented and configured correctly and if all planned detection measures (e.g. the evaluation of the log files) are actually being performed.

They might reveal that some security safeguards have not been implemented or that they are not producing the results intended in practice. In both cases the reasons for the discrepancy should be established. Possible corrective measures include the following, depending on the cause:

In every case a corrective measure should be suggested for every discrepancy. The people who will be responsible for implementing the corrective measure and the time at which it is to be implemented should also be established.

The purpose of a check is to eliminate sources of error. In order for checks to be accepted, it is extremely important that no person is humiliated or identified as a "culprit". If the employees have to fear such consequences there is a risk that they will not openly report vulnerabilities and security gaps known to them, but will try to conceal existing problems.

However, the response to violations of security policies should also be established in advance. Appropriate safeguards must be taken that help to avoid security incidents being repeated. These could include the restriction of access rights, for example.

If unauthorised activities by employees are discovered, the relevant superior should be informed so that appropriate consequences can be initiated.

Continuous improvement of the security concept (completeness and update check)

The security concept must be regularly updated, improved, and adapted to new general conditions. Regular checks must be performed to determine if the selected security safeguards are still suitable for achieving the security objectives. When performing these checks, it should also be examined if the security safeguards being used are efficient or if the security objectives could be achieved with other measures that use resources more sparingly.

For this reason, it is important to analyse external sources of knowledge, such as standards or technical publications, with regard to new technical and regulatory developments. Contacts with relevant bodies and interest groups dealing with security aspects also help the IS management team to expand and update the existing knowledge of security-relevant methods and solutions. In addition, these serve to establish valuable contacts with other IT Security Officers to learn about solutions of other organisations and to exchange practical experience. Another effect is that ways are created that can be used to exchange early warnings on emerging security problems. The IS management team should have an overview of thematically suitable bodies and interest groups and establish where active involvement is appropriate and where only the results should regularly be observed and analysed.

Performing the checks

The scope and depth of the reviews must be defined corresponding to the purpose of the particular checks. The security concept and the current documentation of the security process serve as the foundation of all reviews.

Each review must be performed by people with suitable qualifications. These people must not have been involved in the creation of the concepts, though, in order to avoid blind spots and conflicts. The examiners or auditors must be as independent and neutral as possible.

Every single review must be carefully planned and executed. All relevant discoveries and results are to be documented in a report. This report should contain an assessment as well as suggestions for correction. The report should be handed over to the head of the area reviewed as well as to the IS management team who must design the next steps on this basis. Serious problems should be reported directly to the management so that they can make wide-ranging decisions promptly.

If special audit or diagnostic tools are used for the review, then it must be ensured that only authorised people have access to them, and this also applies to the documentation of the results. Diagnostic and audit tools as well as the audit results therefore require special protection.

If external personnel is involved in reviews it must be ensured that none of the organisation's information is misused (e.g. by means of corresponding non-disclosure agreements) and that they only have access to the required information (e.g. by means of access rights or dual control principle). If they use audit tools there must be clear rules on their use.

Corrective measures

All errors and vulnerabilities detected must be eliminated promptly. The optimisations identified to increase the efficiency and effectiveness of the security safeguards must be implemented.

The decision of how to proceed further must be based on the results of the reviews. In particular, all necessary corrective measures must be documented in an implementation plan. The people responsible for implementing the corrective measures must be stated, and they must be provided with the necessary resources.

Review questions:

© Federal Office for Information Security. All rights reserved.